
Axent NetProwler

Brief product description

NetProwler is a network-based IDS. It protects e-business by continuously watching IP-based network segments for patterns of misuse or abuse. If these systems are threatened, NetProwler can notify you and even take precautionary actions to prevent information theft or loss.

Architecture

NetProwler is designed using a 3-tier architecture with Agents, Manager and the GUI console.

At what layer of the protocol stack is the product working?

NetProwler is not bound to the NT operating system stack. The NetProwler Agent driver uses an IP stack that has been specially developed to conceal the Agent's presence from the network. NetProwler can monitor the entire IP packet from the Network layer on up.

Documentation

The NetProwler product is shipped with a hard copy set of Release Notes, Installation Manual and User Guide. The documentation is also available on the CD-ROM media in Acrobat PDF format.

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?

Supported Manager Platforms

Windows NT 4.0

Requires: PII 300 MHz, 128 MB RAM, 70 MB Disk Storage + 50 to 500 MB Additional Storage to hold NetProwler events and configuration information

Supported Agent Platforms

Windows NT 4.0

Requires: PII 300 MHz, 128 MB RAM, 50-100 MB Disk Storage + 50 to 500 MB Additional Storage to hold NetProwler events and configuration information

Supported Console Platforms

Windows NT 4.0 - 2000+

Requires: PII 300 MHz, 128 MB RAM, 10 MB Disk Storage

A dedicated machine is recommended for each Agent and Manager Component. The Console can be installed on any workstation.

What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?

As above

What components are installed on a detector

NetProwler installs a packet level driver and accompanying files for the SDSI attack detection engine, logging, authentication, encryption and a GUI.

Which network types are supported

NetProwler supports 10 and 100 Mb Ethernet.

Any specific recommendations for monitoring Gigabit networks with your product?

AXENT recommends evaluating the network environment and placing multiple agents in critical areas to provide coverage. AXENT is currently teaming with 3rd party vendors to bring a complete Gigabit solution to market.

Which OS platforms are actively monitored?

NetProwler monitors network traffic and identifies common attempts to exploit known vulnerabilities on numerous operating systems and applications, including Unix, Linux and VMS. It can also identify company-specific applications through its attack signature definition interface. While the network IDS solution is not tied to any specific OS and monitors all network-based traffic, NetProwler will detect and apply OS-specific signatures to the following types of operating systems:

Windows 95/98/NT/2000, Macintosh, Linux, AIX, HP-UX, Solaris, SunOS, BSDI BSD/OS, OSF/1, FreeBSD, IRIX, NetBSD, OpenBSD, SCO UnixWare, Ultrix, VAX/VMS, SCO OpenServer, NetWare

Can sensors/detectors be deployed and configured initially from a central console?

Sensors (Agents) can be configured from a central console. Agents must be directly installed on the intended host machine.

Once deployed and configured, can sensors/detectors be managed from a central console?

Sensors (Agents) can be managed from a central console.

Authentication between console and engines – Is it available? What algorithm/key lengths?

All communications between the Agent, Manager, and Console are secure via an authenticated Diffie-Hellman handshake, 56-bit Blowfish encryption and digital signatures using MD5.

Secure logon for policy management?

NetProwler supports password-authenticated administrative consoles so that only privileged administrators can control the system.

How are policies distributed to engines?

The NetProwler Manager is responsible for automatically pushing all configuration and policy changes to each Agent via secure transports.

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?

The Manager is a centralized repository which contains event and configuration data. The Manager is also responsible for automatically directing and deploying the configuration policies to the Agents. In addition, the Manager collects and compiles the event and alert information and makes this available for review on the Console. Any changes to policy are automatically deployed to the Agent which is responsible for implementation.

How many attack signatures?

Currently NetProwler has over 200 attack signatures.

Can the administrator define custom attack signatures?

Yes. Administrators can extend NetProwler’s capabilities by utilizing its custom attack signature definition (ASD) user interface and its attack definition wizard help. The interface supports drag-and-drop keywords, reserved keywords (related directly to the IP protocol), arithmetic operators and strings to build immediately deployable definitions without requiring programming. This tool allows for complex and sequential-based attack signatures to be created and automatically deployed, not just simple string searches.

How are new attack signatures obtained and deployed?

NetProwler’s signature update feature is called Signature Sync. This feature provides automatic web-download services. The signatures are intelligently distributed to ALL of the NetProwler Agents, and assigned to all of the proper systems. This of course all happens in real time for the Agents, which never stop protecting the network to which they are assigned.

Frequency of signature updates? Provide dates of all updates in the last year.

AXENT’s signature update team, SWAT, has released 7 signature updates this year.

Security Update 13 08/09/2000

Security Update 12 05/08/2000

Security Update 11 04/26/2000

Security Update 10 03/29/2000

Security Update 9 03/10/2000

Security Update 8 02/11/2000

Security Update 7 02/10/2000

What infrastructure do you have behind the signature update process

The Axent SWAT team, dedicated and separate from the product development team, researches security issues and vulnerabilities and creates new signatures for all of AXENT’s signature-related products. There is a dedicated website at www.axent.com/swat.

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?

The update files can be placed upon and then downloaded from a local web server. The update only needs to be imported once into the centralized Manager, which then automatically deploys the new signatures to all of the Agents.

Can signature updates be scheduled and fully automated?

While the signature update process is fully automated (see question above), currently the initial download is manual.

What network protocols are analysed?

NetProwler supports TCP/IP on 10 and 100 Mb Ethernet networks.

What application-level protocols are analysed?

NetProwler is not dependent on application-level protocols; it can look at all IP-based traffic, including all application-level protocols.

Can the product perform protocol decodes?

NetProwler can decode FTP, TELNET, SMTP, POP3, chat, rshell, and rlogin for session display.

Can the product perform session recording on suspect sessions?

Yes

Block/tear down session?

NetProwler’s proprietary TCP/IP driver/stack can create, on the fly, all necessary packets to stealthily send TCP/IP resets to any server. These packets contain only the information that the client would normally send when it would stop the session. Upon receipt of the RST packet, the server will shut the session down.

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)

NetProwler has the ability to monitor any user-defined session, including custom applications.

Monitor changes in critical system files?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Monitor changes in user-defined files?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Monitor changes in Registry?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Monitor unauthorised access to files?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Monitor administrator activity (creation of new users, etc)?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Monitor excessive failed logins?

Yes. NetProwler has a signature designed to monitor failed logins.

List any other resources/locations that are monitored.

NetProwler monitors entire network segments for all traffic.

Track successful logins, monitoring subsequent file activity, etc?

This is a host-based function. Axent’s host-based product, ITA, covers this area.

Detect network-level packet based attacks?

Yes.

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?

NetProwler currently detects SYN, UDP, and full connect based scans.

Detect and report on nmap OS fingerprinting?

Yes.

Perform packet reassembly? Resistance to known IDS evasion techniques?

NetProwler does not currently perform reassembly. Future releases will address this feature.
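Why reassembly matters for signature matching, as an added example (not NetProwler code or part of the vendor's response): a pattern that spans two TCP segments is missed when each packet is inspected alone and found once the stream is rebuilt. The signature string, sequence numbers and payloads are constructed sample data, and the function names are hypothetical.

```python
# Added illustration (not NetProwler code). The signature, ISN and segments
# below are constructed sample data.
SIGNATURE = b"EXAMPLE-ATTACK-STRING"
ISN = 1000  # assumed sequence number of the first payload byte

# (sequence number, payload) pairs as a sensor might capture them:
# out of order, with one retransmission.
SEGMENTS = [
    (ISN + 15, b"TACK-STRING HTTP/1.0\r\n\r\n"),
    (ISN, b"GET /EXAMPLE-AT"),
    (ISN, b"GET /EXAMPLE-AT"),
]


def match_per_packet(segments, signature=SIGNATURE):
    """Signature check with no reassembly: each payload is inspected alone."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream from (seq, payload) pairs.

    Tolerates reordering, retransmission and 32-bit sequence wrap. On
    overlap the first copy of a byte is kept (an assumption of this
    example). Output stops at the first gap in the stream.
    """
    seen = {}
    for seq, payload in segments:
        start = (seq - isn) % 2**32  # offset of this payload in the stream
        for i, byte in enumerate(payload):
            seen.setdefault(start + i, byte)
    stream = bytearray()
    while len(stream) in seen:
        stream.append(seen[len(stream)])
    return bytes(stream)


def match_stream(segments, isn, signature=SIGNATURE):
    """Signature check on the reassembled stream."""
    return signature in reassemble(segments, isn)


if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS))
    print("stream match:    ", match_stream(SEGMENTS, ISN))
```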

Reconfigure firewall? If so, which firewall(s) and how?

The NetProwler Agent has built-in functionality to harden Raptor and Checkpoint FW-1 firewalls. For Raptor, NetProwler uses the Raptor designated methodology for firewall hardening, including authenticating to the Raptor, and sending the information by encrypted means. For Checkpoint, NetProwler uses the OPSEC compliant SAMP protocol to send the hardening commands. NetProwler is OPSEC 4.0 compatible.

Option to record everything for “forensic” investigation? Where is this data stored? How is it secured from tampering?

Yes. Recorded data can be used for potential litigation or to facilitate the design of new, custom attack signature definitions. It is stored on the Agent. File based security is recommended for securing the data since encrypting the data or otherwise modifying the data may render it inadmissible as evidence.

Reporting from engine to console - range of action/alert options (detail these)

When NetProwler identifies an attack, it can log the event, terminate the session, harden a firewall, and notify an administrator via pager, SNMP or email. It can also start another program, record the session, forward event notification to the AXENT Intruder Alert manager and console to update its dynamic summary, and graph reports. In addition, it can update SNMP management consoles through the Intruder Alert Manager. All of these response configurations are fully determined by the administrator.

What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?

NetProwler Agents are self-contained units. If at any time communication links between the Manager and Agents are severed (detected via heartbeat monitoring), the Agent will continue to provide IDS services. Thus, any events being collected by an Agent will be reported to the Manager immediately upon resumption of Agent to Manager connectivity.

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?

Agents respond to events in real time and pass alerts of the events to the Manager directly, through secure transport. NetProwler includes a find alerts option which allows the database to be queried. Criteria include alert type, specific signature names, agent names, priority, attacked system, attacking system, port number, date and time.

Does the software offer advice on preventative action to ensure the attack does not happen again?

Yes. Attack signatures include detailed information about the attack and direct signature-specific links to the SWAT website. That site includes references to CERT, BugTraq, CVE, SANS and other sources as well as countermeasures directly related to the attack.

Integration with other scanning/IDS products?

NetProwler includes event level integration with Intruder Alert.

Log file maintenance – automatic rotation, archiving, reporting from archived logs, etc.

NetProwler provides the facility to purge the SQL database. Other database maintenance functionality can be achieved through the included SQL database tools.

Management reporting – range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?

NetProwler has extensive reporting capability. Included out of the box are many preformatted reports that cover a wide variety of system aspects. There are pre-formatted reports designed for system administrators, accountants, and executives. In addition, the customers can use their own Crystal Report templates directly from the NetProwler Report Wizard. This allows the customer to extract exactly the information they desire, and format it to their own specifications.

Report management – can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?

NetProwler supports the scheduling of reports from interval (minutes/hours) to daily to monthly. Reports can be emailed to administrators. A command can be spawned upon the generation of the Report, and that command could include the publishing of files to a website. The reports are placed with the centralized manager and are available to all of the authorized NetProwler consoles.

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector

NetProwler can consolidate information from each detector into a single report, which includes information about attacked servers.

Define custom reports?

Customers can use their own Crystal Report templates directly from the NetProwler Report Wizard. Standard SQL tools can also be used to extract the exact dataset required.

How is it licensed? How is the license enforced?

The following license types are available:

Evaluation licenses that incorporate expiration dates. This is included in the product. The applications can be run unhindered for 45 days from the time of installation.

Permanent licenses that are applied to specific manager and agent systems. Each license represents installing the application on a single host machine.

NetProwler consists of the following components: NetProwler Agent, NetProwler Manager, and NetProwler Console. The Windows NT Console and Manager are “Free” – AXENT does not charge for the NT console or manager and the customer can install and run as many consoles as they wish.

The Customer can purchase a version of the product called NetProwler Enterprise, available in three licensed tiers based on the number of nodes monitored by the Agent. In the Enterprise version all three components are delivered on the same CD. In addition, each Enterprise CD also contains an Intruder Alert Manager and Agent.

End user pricing information

The NetProwler Enterprise versions are $2,995 to $8,995 US depending on the number of nodes monitored by the Agent. Console and Manager are free. International pricing is available as a conversion from US dollars at the time of purchase.

Ongoing cost of maintenance/updates

Basic Maintenance: 15% of purchase price – Includes all product updates and 5x8 phone support

Extended Maintenance: 22.5% of purchase price – Includes updates and 7x24 phone support.

Copyright © 1991-2001 The NSS Group.
All rights reserved.